Secure method to change a password using Group Policies

We are looking for a new way (a secure method) in setting a password via Group Policy. There are several methods listed on the internet however none I have found are secure methods.
1. Set the password via a bat, vbs, or ps file and put it in the scripts section of the GPO. This works however the password is in clear text in the file and the command with the password gets stored in the registry on all the PC's. So you can compile the
script to an exe which helps, it is no longer clear text anywhere but it can be decompiled into clear text. So you can restrict the folder this exe script is stored in so that only computers can get to it but still, malware and other people smart enough can
get in there.
2. Use Group Policy Preferences. This seemed like a good idea until I found this:
http://www.grouppolicy.biz/2013/11/why-passwords-in-group-policy-preference-are-very-bad/
and it looks like this is phased out after an update in May 2014.
So what do you do? I want the same local admin password on all PC's and I want the ability to change it quarterly which GPO's made that easy but it looks like not securely. Anyone know any third party tools to encrypt and or compile a script that can run
in a GPO? Or any other good methods to accomplish this?
Thanks in advance.
Life moves pretty fast. If you don't stop and look around once in a while, you could miss it.

Thanks for all the replies.
seansobey: That is the method I referred to in option 2. It is strongly recommended against doing and is no longer affective as of a patch released in May
2014.
Anthony Caragol: True however we have a lot of machines that are on the road and may only get GPO's applied every so often or non persistent pc's
and servers may not be on the same schedule as the password update so these cases need to be updated on demand. With a group policy it is always running (sortof).
On the powershell script or the CPassword thing, that sort of falls in between the two. The CPassword would be hackable during the time it is present but removes itself as soon as it is run. So then how does it run on all machines and know when it is done?
(hypothetical question not looking for an answer).
SenneVL: I think the path of least headache is to follow #1 and bullet #3. Set the local admin pw to a random password generated on each pc reboot and do
not give it out for anyone to use. The desktop admin staff have their own they can use already so this makes most sense. Now to get management to agree...that's another story :)
Thanks again everyone for your replies and thoughts. They all are appreciated.
Life moves pretty fast. If you don't stop and look around once in a while, you could miss it.

Similar Messages

  • Not able to change the password using FNDCPASS

    I am not able to change password using FNDCPASS. I am getting follwoing error while executing following command with APPLMGR user ( before that I have source the .env file ) (OS-Linux)
    [applmgr@ora11 /]$ FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS WELCOME
    Log filename : L2741743.log
    Report filename : O2741743.out
    APP-FND-01630: Cannot open file L2741743.log for appending
    Cause: FDPFOP encountered an error when attempting to open file L2741743.log for appending.
    Action: Verify that the filename is correct and that the environment variables controlling that filename are correct.
    Action: If the file is opened in read mode, check that the file exists. Check that you have privileges to read the file in the file directory. Contact your system administrator to obtain read privileges.
    Action: If the file is opened in write or append mode, check that you have privileges to create and write files in the file directory. Contact your system administrator to obtain create and write privileges.
    Can some one pls guide me on this

    Duplicate post-
    Not able to change the password using FNDCPASS
    Please post only once.
    Thanks,

  • Unable to change APPS password using FNDCPASS

    Hi All,
    Having issues with changing APPS password using FNDCPASS utility. Trying this on Windows 2003 with 11.5.10.2 VISION instance.
    The command given is:
    FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS WELCOME
    Here is the text from the log file:
    APP-FND-01502: Cannot encrypt application ORACLE password
    Cause: Application Object Library was unable encrypt your ORACLE password.
    Action: Contact your support representative. (ORACLEUSER=APPS_SERV)
    Not sure how to resolve this issue. Any help, pointers are appreciated.
    Thanks,
    Jags

    It worked. Thanks a lot for the pointers. Never expected that the UTF8 would be an issue for changing the APPS password.
    What I did to resolve:
    (1) Stopped all Oracle windows services
    (2) Updated the NLS_LANG value(all appearances) in registry to WE8ISO8859P1
    (3) Started Database Listeners
    (4) Executed FNDCPASS
    (5) Updated WDBSVR.APP
    (6) Updated CGICMD.DAT
    (7) Updated concurrent manager passwd using CCMSETUP
    (8) Updated the NLS_LANG value(all appearances) in registry to UTF8
    (9) Restarted all Oracle windows services

  • HT201303 How do I change the security questions without changing my password?

    When I am trying to buy something from the iTunes store it askes me two security questions. I know what the answers should be but they do not seem to match what Apple has. So, I tried to change the questions but now it also wants me to change teh password. I don't want to change the password. How can I eitehr find out my answers or change the questions without changing a password I obviously know!?!?!

    Reset Security Questions
    Frequently asked questions about Apple ID
    Manage My Apple ID
    Or you can email iTunes Support at iTunes Store Support.
    If all else fails:
      1. Go to: Apple Express Lane;
      2. Under Product Categories choose iTunes;
      3. Then choose iTunes Store;
      4. Then choose Account Management;
      5. Now choose iTunes Store Security and answer the bullet questions, then click
          Continue;
      6. Sign in with your Apple ID and press Continue;
      7. Under Contact Options fill out the information and advise iTunes that you would
          like your security/challenge questions reset;
      8. Click Send/Continue.
    You should get a response within 24 hours by email.
    In the event you are unsuccessful then contact AppleCare - Contacting Apple for support and service.
    Another user had success doing the following:
    I got some help from an apple assistant on the phone. It is kind of round about way to get in.
    Here is what he said to do and it is working for me...
      a. on the device that is asking you for the security questions go to "settings", > "store" >
          tap the Apple ID and choose view"Apple ID" and sign in.
      b. Tap on payment information and add a credit/debit card of your preference then select
          "done", in the upper right corner
      c. sign out and back into iTunes on the device by going to "settings"> "store" > tap the
          Apple ID and choose "sign-out" > Tap "sign -in" > "use existing Apple ID" and you
          should be asked to verify your security code for the credit /debit card and NOT the
          security questions.
      d. At this time you can remove the card by going back in to edit the payment info and
          selecting "none" as the card type then saving the changes by selecting "done". You
          should now be able to use your iTunes store credit without answering the security
          questions.
    It's working for me ...I just have to put in my 3 digit security pin from the credit card I am using.
    Good Luck friends!

  • By mistake I have changed the password using iChain but the website still utilises the old password that iChain originally created. How can I find out the original password that was created?

    I created a password using iChain whilst on a website where I have an account. For some reason, I needed to change the password and it seems that the website can only be accessed using the original chain password. I do not have a record of it and it is not in my iChain password list. Can I find what historical passwords were used?

    i am also have the same thing how can i get they out from my game center ?

  • Not able to connect after changing the password using ALTER VALUES clause

    Hi,
    Just now John explained about VALUES clause in below thread.
    Expired Status
    I created a new account called SURI and tried to use the user account HR's password using VALUES clause. I was able to alter the password but not able to connect SURI with hr password.
    Please see the version details below. And the SQL statements which I have tried.
    SQL*Plus: Release 10.2.0.1.0 - Production on Mon Aug 13 18:44:50 2012
    Copyright (c) 1982, 2005, Oracle.  All rights reserved.
    Enter user-name: sys as sysdba
    Enter password:
    Connected to:
    Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
    SQL> SELECT password
      2  FROM dba_users
      3  WHERE username = 'HR';
    PASSWORD
    4C6D73C3E8B0F0DA
    SQL> ALTER USER SURI IDENTIFIED BY VALUES '4C6D73C3E8B0F0DA';
    User altered.
    SQL> SELECT password
      2  FROM dba_users
      3  WHERE username='SURI';
    PASSWORD
    4C6D73C3E8B0F0DA
    SQL> conn suri/hr     -- HR account's password is hr only
    ERROR:
    ORA-01017: invalid username/password; logon denied
    Warning: You are no longer connected to ORACLE.
    SQL>Thanks,
    Suri

    Suri wrote:
    Hi,
    Just now John explained about VALUES clause in below thread.
    Expired Status
    I created a new account called SURI and tried to use the user account HR's password using VALUES clause. I was able to alter the password but not able to connect SURI with hr password.
    Please see the version details below. And the SQL statements which I have tried.
    SQL*Plus: Release 10.2.0.1.0 - Production on Mon Aug 13 18:44:50 2012
    Copyright (c) 1982, 2005, Oracle.  All rights reserved.
    Enter user-name: sys as sysdba
    Enter password:
    Connected to:
    Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
    SQL> SELECT password
    2  FROM dba_users
    3  WHERE username = 'HR';
    PASSWORD
    4C6D73C3E8B0F0DA
    SQL> ALTER USER SURI IDENTIFIED BY VALUES '4C6D73C3E8B0F0DA';
    User altered.
    SQL> SELECT password
    2  FROM dba_users
    3  WHERE username='SURI';
    PASSWORD
    4C6D73C3E8B0F0DA
    SQL> conn suri/hr     -- HR account's password is hr only
    ERROR:
    ORA-01017: invalid username/password; logon denied
    Warning: You are no longer connected to ORACLE.
    SQL>Thanks,
    SuriYou can only do it for the same user, as the password is a hashed value that includes the username as part of the hashing (It's either the username or some internal object id or something). So using the hashed value against another user won't work.

  • I have an old Apple ID connected to a discontinued e-mail address.  I want to delete it.  I cannot remember my password and when I try to change the password using the security questions, it rejects my birth date!  I can't change it by cancelled e-mail.

    I have an old Apple ID associated with a discontinued e-mail address.  It keeps popping up when I try to update apps.  I don't remember the password.  When I try to change it by security questions, it rejects my birthdate!  I can't change it by e-mail because I no longer have access to the e-mail.  All I really want to do is cancel this old ID.  How can I do this?  Obviously, I have a new ID, since I am using this support community.

    You'll have to contact iTunes store support to see if they can help you with this: http://www.apple.com/emea/support/itunes/contact.html.

  • Change expired password using oracle jdbc thin driver

    Hello,
    I have a java program that uses the oracle jdbc thin driver (ojdbc6 - version 11.2.0.3) for database connection. My question is if I have any possibility to change an expired password (java.sql.SQLException: ORA-28001: the password has expired) using the thin driver - NOT OCI?

    No - the thin driver doesn't have any password management features.

  • Can you prevent the use of consecutive numbers in a password, using Group Policy?

    The regular old password complexity requirements disallow the use of 3 consecutive characters that appear in the user's account name / display name, but does not prevent the use of consecutive numbers at all. For example, a user can have a password including
    the string "12345". We have the need to disallow this via GP in order to make our passwords compatible with an outside service to which we would like to synchronize. I see no way to do this with the typical Password Policy settings. Anyone out
    there have any hints as to how I might accomplish this?
    This is on a Windows Server 2008 R2 Domain.

    Am 24.09.2014 um 20:01 schrieb dklein73:
    > We have the need to disallow this via GP in order to make our passwords
    > compatible with an outside service to which we would like to
    > synchronize. I see no way to do this with the typical Password Policy
    > settings. Anyone out there have any hints as to how I might accomplish this?
    You need a custom password filter dll on your DCs:
    http://msdn.microsoft.com/library/ms721766.aspx
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Unable to reset the variable value in the method value change event and use

    Hi ,
    int i=4;
    public changevalue(ValueChangeEvent ValueChangeEvent)
    //some code
    i=5;
    system.out.println("in changevalue method="+i)// this prints i value as 5
    public void submit(ActionEvnet actionEvent){
    //somecode
    system.out.println("in submit="+i) // this prints value 4;though its value is changed as 5 in above mehtod
    how can i get the value as i=5 in second method(i.e, in submit method)??

    Hi 980230,
    When I tried the same thing it gives me 5 in the submit method.
    Are you sure that ValueChange method is getting invoked before the actionEvent method?
    Its better to debug the application, you will get the exact flow and error if any....
    Thanks
    --NavinK                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  • Changing admin passwords using ARD/root?

    Due to losing some key personnel who had access to our administrator passwords, we need to change all of them. Does anybody know if this might could be done by sending some UNIX command as root to the necessary machines?
    I realize I'm probably out of luck, but it sure would be nice to have a way to change them without having to touch every stinking machine!
    Message was edited by: LostTexan

    Send 1 of 2 Unix commands:
    passwd username
    newpassword
    newpassword
    OR
    dscl . -passwd /Users/username newpassword
    Also, please note that question has been asked and answered many times in the past, so you should always try and help yourself by doing a search before posting.

  • How to hide Show characters in Wifi Password using Group policy

    Hi,
    I need to hide the wifi pass key to all the clients.
    Iam planning to apply group policy to the users. Can anyone help me to sort out this issue.
    Regards.,
    Srinivas.
    SRINIVAS

    Hi,
    Can you share me the Configuration of RADIUS/802.11x Server. While configuring it is
    asking for WAN IP address. Which IP address i have to give?
    1) Is it an IP address given by the network service provider?
    2) Is it an IP address of the server?
    3)Is
    it an IP address of the firewall?
    The Server IP address is as follows:
    IP: 192.168.50.11
    Gateway: 192.168.50.1
    DNS: 192.168.50.1
    Thanks.,
    Srinivas.
    SRINIVAS

  • Hello, I am on an iMac. I recently changed my password using the start up disc, now I have a thick lined rectangle, transparent, following my wireless track pad pointer all arount my moniter. The pointer is inside of it?

    Hi, I think I covered everything in my subject?
    Thanks,
    Blueheelercd

    Open Universal Access preferences to turn it off. Should be part of Voice Over.

  • Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

    Hello,
    I am trying to the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread [*http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0*|http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0]
    but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
    *javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0*
    *If anyone can help me figure out why it doesn't work, that would be great!*
    P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
    Here's my java code:
    {code}import javax.naming.*;
    import javax.security.auth.*;
    import java.security.PrivilegedAction;
    import java.io.UnsupportedEncodingException;
    public void changeSecret((String uid, String oldPassword, String newPassword)
         throws NamingException, ACException{
    try {
         K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
         LoginContext lc = new LoginContext("marker", cb);
         lc.login();
         Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
         catch(LoginException e) {
         try {
              lc.logout();
         catch(LoginException e) {
    }ChangePasswordAction.java is:import javax.naming.*;
    import javax.naming.naming.directory.*;
    import java.io.UnsupportedEncodingException;
    private class ChangePasswordAction implements PrivilegedAction {
         private String uid;
         private String quotedOldPassword;
         private String quotedNewPassword;
         public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
              this.uid = uid;
              quotedOldPassword = "\"" + oldPassword + "\"";
              quotedNewPassword = "\"" + newPassword + "\"";
         public Object run() {
              Hashtable env = new Hashtable(11);
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
              try {
                   DirContext ctx = new InitialDirContext(env);
                   ModificationItem[] mods = new ModificationItem[2];
                   byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                   byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                   mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                   mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                   ctx.modifyAttributes(uid, mods);
                   ctx.close();
              } catch (NamingException e) {
              } catch (UnsupportedEncodingException e) {
              return null;
    }K5CallbackHandler is:import javax.security.auth.callback.*;
    final class K5CallbackHandler
    implements CallbackHandler {
         private final String name;
         private final char[] passwd;
         public K5CallbackHandler(String nm, String pw) {
              name = nm;
              if(pw == null) {
                   passwd = new char[0];
              else {
                   passwd = pw.toCharArray();
         public void handle(Callback[] callbacks)
         throws java.io.IOException, UnsupportedCallbackException {
              for(int i = 0; i < callbacks.length; i++) {
                   if(callbacks[i] instanceof NameCallback) {
                        NameCallback cb = (NameCallback) callbacks;
                        cb.setName(name);
                   else {
                        if(callbacks[i] instanceof PasswordCallback) {
                             PasswordCallback cb = (PasswordCallback) callbacks[i];
                             cb.setPassword(passwd);
                        else {
                             throw new UnsupportedCallbackException(callbacks[i]);
    }The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
    marker {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE;

    This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
    My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
    Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
    In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably string key length.
    Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding //Specify the quality of protection
    //Eg. auth-conf; confidentiality, auth-int; integrity
    //confidentiality is required to set a password
    env.put("javax.security.sasl.qop","auth-conf");
    //require high strength 128 bit crypto
    env.put("javax.security.sasl.strength","high"); in your ChangePasswordAction class.
    You may also want to enable sasl logging in your app to see what exactly is going on and you may also want to check on the Java Security forum how to configure/enforce/check both RC4-HMAC or AES is used as the Kerbeos cipher suite and that a string key length is being used.
    Good luck.

  • How to change a password for an OpenLDAP user, which fails when using Lion's System Preferences?

    The Problem
    Users are unable to change their password using System Preferences -> Users & Groups on a Mac that is connected to an LDAP server (specifically, OpenLDAP).
    This error appears to be a result of OS X 10.7.4 now sending the username of the user rather than their full DN (e.g. it's sending bobsmith, notuid=bobsmith,ou=Users,dc=companyname,dc=com).
    (a bug report for this issue has been filed with Apple and can be seen on OpenRader @http://openradar.appspot.com/11768796)
    Steps to Reproduce:
    Try to change the password using the System Preferences -> Users & Groups prefpane on Lion. It fails with the following error message:
    The password for the account “bobsmith” was not changed. Your system administrator may not allow you to change your password or there was some other problem with your password. Contact your system administrator for help.
    Expected Results:
    The password should be changed.
    Actual Results:
    The error appears, and on the LDAP server, an error like the following is logged:
    Jun 28 08:42:21 ldap3 slapd[7810]: conn=10518785 op=2 RESULT oid= err=21 text=Invalid DN
    This error appears to be a result of OS X 10.7.4 now sending the username of the user rather than their full DN (e.g. it's sending bobsmith, notuid=bobsmith,ou=Users,dc=companyname,dc=com)
    Notes: This was encountered by someone else over at the AFP548.com forums who ended up patching their LDAP server to resolve the issue. This shouldn't require patching LDAP to resolve, however. Lion needs to (at least have an option to) send the full DN of a user requesting to change their password, not the short username:
    Text from above forum link (in case it is taken down):
    So, I’ve got this OpenLDAP server with network home directories at home that all of my Mac machines authenticate to. Everybody can bounce around to whatever Mac is available. It works great.
    Anyway, with Snow Leopard, I was able to change user passwords via System Preferences. However, that got broken when I upgraded to Lion (amongst other things). Both Snow Leopard and Lion send exop’s to the ldap server, but for whatever reason, the id is screwed up in Lion (or at least, it’s screwed up on the two machines at home I tested this with). Instead of sending the user’s DN, e.g. “uid=user,cn=users,ou=something,dc=somewhere,dc=com”, the ldap server is only sent the uid, e.g. “user”. The ldap server is expecting a DN here, so naturally, it fails with the error “Invalid DN”.
    Bummer.
    So, to work around that, I had to patch OpenLDAP (version 2.4.26 in this case). Now, when my server can’t resolve the id it’s given during a password change, it will look at the bind DN, and if the id string is contained within the bind DN string, it will just use the bind DN as the entry to change. I figured this would still allow me to manually specify password changes via an admin account while still giving users the ability to change their own passwords without having to point them at a webpage (lame).
    I should point out that all my accounts have the uid as part of the DN… I guess if you were doing some kind of crazy SASL mappings, this might not work for you…
    Anyway, here’s the patch in case anyone else is interested… If it works for you, great. If not, oh well.
    -- passwd.c 2011-06-30 11:13:36.000000000 -0400 +++ passwd.lion_compatability.c 2012-02-13 22:48:54.213214617 -0500 @@ -18,4 +18,5 @@  #include +#include  #include @@ -59,4 +60,5 @@ int freenewpw = 0; struct berval dn = BER_BVNULL, ndn = BER_BVNULL; +   ber_int_t err;  assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); @@ -102,11 +104,8 @@  if ( !BER_BVISEMPTY( &id ) ) { -       rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); -       id.bv_val[id.bv_len] = idNul; -       if ( rs->sr_err != LDAP_SUCCESS ) { -           rs->sr_text = "Invalid DN"; -           rc = rs->sr_err; -           goto error_return; -       } +       err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); +   } + +   if ( !BER_BVISEMPTY( &id ) && (err == LDAP_SUCCESS) ) { op->o_req_dn = dn; op->o_req_ndn = ndn; @@ -116,4 +115,16 @@ ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx ); ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx ); +       if ( !BER_BVISEMPTY( &id ) ) { +           /* See if the id matches the bind dn */ +           if ( strstr( dn.bv_val, id.bv_val ) == NULL ) +           { +               rs->sr_err = err; /* From dnPrettyNormal */ +               rs->sr_text = "Invalid DN"; +               rc = rs->sr_err; +               goto error_return; +           } +           Statslog( LDAP_DEBUG_STATS, "%s Invalid id (%s) specified; using bind DN (%s)\n", +                   op->o_log_prefix, id.bv_val, dn.bv_val, 0, 0 ); +       } op->o_req_dn = dn; op->o_req_ndn = ndn; @@ -123,4 +134,8 @@ }  +   if ( !BER_BVISEMPTY( &id ) ) { +       id.bv_val[id.bv_len] = idNul; +   } + if( op->o_bd == NULL ) { if ( qpw->rs_old.bv_val != NULL ) { "
    UPDATE (still not working, though)
    I tried to change my password with dscl too, like so:
    $ dscl -u bobsmith -p /LDAPv3/ldap -passwd /Users/bobsmith
    ...and this generated the following after I input my current password and a new one:
    Password: New Password: passwd: DS error: eNotYetImplemented DS Error: -14988 (eNotYetImplemented)
    On my OpenLDAP server, it generated:
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 ACCEPT from IP=10.0.1.3:64485 (IP=0.0.0.0:636) Jul  3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 closed (TLS negotiation failure) Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 ACCEPT from IP=10.0.1.3:64486 (IP=0.0.0.0:636) Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 TLS established tls_ssf=256 ssf=256 Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH attr=supportedSASLMechanisms defaultNamingContext namingContexts schemaNamingContext Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128 Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0 Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 RESULT tag=97 err=0 text= Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))" Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))" Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))" Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH attr=objectClass apple-generateduid uid uidNumber userPassword cn Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1 Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 PASSMOD old Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 RESULT oid= err=53 text=old password value is empty Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=6 UNBIND Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 fd=1633 closed
    If I run the same dscl command from a Snow Leopard machine, it works without an error:
    $ dscl -u bobsmith -p /LDAPv3/myldapserver.com -passwd /Users/bobsmith Password: New Password:
    It generates these logs on the server
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 ACCEPT from IP=10.0.1.2:51013 (IP=0.0.0.0:636) Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 TLS established tls_ssf=256 ssf=256 Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=1 UNBIND Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 closed Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 ACCEPT from IP=10.0.1.2:51014 (IP=0.0.0.0:636) Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 TLS established tls_ssf=256 ssf=256 Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128 Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0 Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 RESULT tag=97 err=0 text= Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))" Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH attr=uid cn Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))" Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH attr=uid cn Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))" Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1 Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 PASSMOD id="uid=bobsmith,ou=Users,dc=mycompany,dc=com" new Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 RESULT oid= err=0 text= Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))" Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text= Jul  3 12:03:32 ldap slapd[7810]: conn=12293659 op=7 UNBIND Jul  3 12:03:32 ldap slapd[7810]: conn=12293659 fd=1283 closed

    Hi Koen,
    I tried to test this, but for me its working sorry(!). Here are the details of what I did in case that helps you diagnose....
    # add the 2 test users
    ldapadd -h $my_ldaphost -p $my_ldapport -D $my_adminuid -w $my_adminpwd <<EOF
    dn: cn=TEST_A, cn=Users, dc=myco,dc=com
    sn: TEST_A
    mail: [email protected]
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserv2
    objectclass: organizationalperson
    objectclass: person
    objectclass: top
    uid: TEST_A
    cn: TEST_A
    dn: cn=TEST_B, cn=Users, dc=myco,dc=com
    sn: TEST_B
    mail: [email protected]
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserv2
    objectclass: organizationalperson
    objectclass: person
    objectclass: top
    cn: TEST_B
    uid: TEST_B
    EOF
    # reset the passwords
    sqlplus /nolog <<EOF
    conn orasso/${orclpasswordattribute}@${my_sid}
    set serveroutput on
    exec wwsso_oid_integration.reset_passwd(p_user => 'TEST_A', p_subscriber_nickname => null, p_newpwd => 'password1');
    exec wwsso_oid_integration.reset_passwd(p_user => 'TEST_B', p_subscriber_nickname => null, p_newpwd => 'password1');
    exit
    EOF
    [oracle@myhost bin]$ ldapbind -D cn=TEST_A,cn=Users,dc=myco,dc=com -w password1
    bind successful
    [oracle@myhost bin]$ ldapbind -D cn=TEST_B,cn=Users,dc=myco,dc=com -w password1
    bind successful

Maybe you are looking for

  • Error in IDOC to SOAP

    I am doing IDOC to SOAP(3rd party) scenario and I get this error   <?xml version="1.0" encoding="UTF-8" standalone="yes" ?> - <!--  Call Adapter   --> - <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soa

  • Screen not displaying correctly. It keeps moving as the mouse moves

    Screen not displaying correctly. It keeps moving as the mouse moves

  • I need your support with answer, I need your support with answer

    I need your help with question answer due to i charged 100 $

  • SUN image cache performance

    Hi, I recognized a large delay when accessing dynamically generated images via Applet.getImage(myServletURL), it took up to 2000+ms per image to load its content completely. Then I cleared all temporary files using the Java 1.6_02 control panel, and

  • Distributed Server Session management

    Hi, I wanted to know how to maintain the session in the case when the servers are in a distributed environment, i mean the http request is sent to one server which inturn checks if any of the web-servers is free and redirects the request to it. When